[OpenID] Security related Use Cases?
Ben Laurie
benl at google.com
Wed Oct 22 09:55:11 UTC 2008
On Wed, Oct 22, 2008 at 4:18 AM, Dick Hardt <dick at sxip.com> wrote:
> I would guess Ben is talking about authentication to the RP

Actually, I meant any authentication - what does authentication to the
RP mean, anyway? If I am authenticating to it directly, then it isn't
an RP, right?

>
> -- Dick
>
> On 21-Oct-08, at 7:52 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>
>> OpenID does not specify how the user authenticates with their OP, so OPs
>> which support hooks for client side authentication seem to address your
>> concerns.
>>
>> Allen
>>
>> Ben Laurie wrote:
>>>
>>> So if we're going to embark on a UX consistency campaign, should we
>>> not do it around authentication that actually is safe - that is:
>>>
>>> a) Built in to the browser, s.t. it can't be faked by webpages
>>>
>>> b) Does not reveal the user's password in the process of authentication?
>>>
>>> Continuing to try to prop up the house of cards that is authentication
>>> on webpages seems counterproductive to me.
>>>
>>
>